Entra SSO via OpenID throws 401

[mowe]

I installed PVE 9.1.8 yesterday on a host and am now trying to set up Entra SSO with Microsoft 365.
The app is authorized, has enough permissions, sign-in succeeds, and even the auth data is transmitted via the URL.
For some reason I do still get the following error:

OpenID login failed, please try again
authentication failure (401)

Does anyone have an idea what could cause this issue?

 

[a.bied-charreton]

Hey, can you please share the output of journalctl -xeu pvedaemon when attempting an OpenID login?

 

[mowe]

Hey, can you please share the output of journalctl -xeu pvedaemon when attempting an OpenID login?

Apr 21 16:11:16 PVE1 pvedaemon[1634]: openid authentication failure; rhost=::ffff:10.151.150.135 msg=Failed to verify ID token: Expired: ID token expired at 2026-04-21 14:10:42 UTC (current time is 2026-04-21 14:11:16.128957657 UTC)

root@PVE1:~# date
Tue Apr 21 05:38:15 PM CEST 2026

Seems like the freshly provided token is already expired?